Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Visitor 1

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

The Partner Security Requirements indicate that you will have to enable the "Baseline policy: End user protection" option, but there is a confusing item in the description regarding Legacy Protocols:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-end-users#deployment-considerations

"To ensure that MFA is required when logging into an account and bad actors aren’t able to bypass MFA, this policy blocks all authentication requests made to administrator accounts from legacy protocols."

The assumption from that statement is that the policy will only block legacy protocols for administrator accounts rather than all user accounts. In other places, it is unclear or implies that all user accounts are affected. It would be nice for someone to clarify whether the implication is that, with the baseline policy enabled, app passwords and legacy protocols will specifically be allowed for user accounts which are NOT administrators.

Moderator

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@cjmod I would like to provide some additional information. The language in the contract states that partners are required to enforce MFA for each user in their partner tenant. This can be accomplished in one of the following ways:

  • Implementation of the baseline policies
  • Azure AD P1/2
  • Third party solution that is compatible with Azure AD

The documentation you are referencing is stating the same thing but in a different way. I can confirm that if a partner has a third party solution that enforces MFA for each user in their partner tenant when accessing Microsoft commercial cloud services, then they do not need to enable the baseline policies or purchase Azure AD P1/2. We will take your feedback into consideration as we continue to enhance our documentation.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@positroncs:

End user baseline policy will impact legacy protocols also for normal users.

In order to use app passwords, AzureAD Premium Plan 1 is needed and MFA needs to be enabled on the user account (not via any conditional access rules).

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

I have disabled the 2 baseline policies and enabled MFA for all users. All users have Azure Premium Plan 1.

But I don't see the app-password capabilities in https://myprofile.microsoft.com or https://mysignins.microsoft.com on the service accounts. App Password is not available.

Any hints?

Level 1 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)


@JanoschUlmer wrote:

@positroncs:

In order to use app passwords, AzureAD Premium Plan 1 is needed and MFA needs to be enabled on the user account (not via any conditional access rules).

AzureAD Premium is not necessary to enable app passwords. We do so just fine on our plan with the free version.

Level 1 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)


@Morten_Knudsen wrote:

I have disabled the 2 baseline policies and enabled MFA for all users. All users have Azure Premium Plan 1.

But I don't see the app-password capabilities in https://myprofile.microsoft.com or https://mysignins.microsoft.com on the service accounts. App Password is not available.

Any hints?

You need to enable MFA via the Azure Dashboard -> Users -> Multi-Factor Authentication. Then the option will appear.

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

I solved it by 'require register MFA' on the user, then it was possible. Thanks

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@firefox15 Only MFA for global admins or the baseline policies are free; for all other scenarios a license is required. See also this overview: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

Also, when Office 365 Enterprise licenses are available in the tenant, MFA can be enabled per user.

Note that once you have a single license that includes MFA features in the tenant, it is possible to enable MFA for all users. Still, there is a licensing requirement that each user needs to have a license (if he is not a global admin - of course it is not recommended to make every user a global admin to lower licensing costs).

Visitor 1

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

You and other documentation keep saying "exclude users from baseline policy". The only way to do this seems to be to make a new policy by guessing what's in the "baseline" one. How are we supposed to know we got this right?

BTW: Of course you say this "of course it is not recommended to make every user a global admin" but it's not what you're actually doing.

(Edit: silly typo)

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@msjunk9: You got it right when you made sure that MFA is enabled & enforced for all users via any of the available methods. You don't need to configure your own policies exactly like the baseline policies - for conditional access policies you just need to make sure that you enable MFA as a control.

There are multiple options for the "right" design, e.g.

UserA is not targeted by conditional access policies, but MFA is enabled directly in the user configuration

UserB is targeted by conditional access rule 1 - where MFA is enabled as a control

UserC is targeted by conditional access rule 2 - where MFA is enabled and the condition is added that access may only happen from certain locations.

The "MFA for Admins" baseline policy is basically a conditional access policy where only users with administrative roles are targeted, under conditions all cloud apps/services are chosen, and MFA is enabled as the only control.

The end user protection baseline policy does actually use Identity Protection features - but enabling Identity Protection is not mandatory for CSP Partners, only that users go through MFA is. So if you want to build your own policy targeting end users, just make sure that you enable MFA as a control in the policy and let it apply to all apps. You can additionally define Identity Protection risk policies when you have AzureAD Premium Plan 2, but this is not required.

Level 1 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

Does your statement about the exception for risk-based MFA also apply when you require MFA except when using AADJ+/AADJ devices for all users?

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@RobinVermeirsch: I'm not sure I understand the question - how are the risk-based MFA policies related to AADJ devices?

AADJ devices should not be excluded from MFA requirements, however. On those devices the user might not see the MFA prompt since those devices might already contain an MFA claim.

So you would still enforce MFA as a control in a conditional access policy for users accessing the services from these devices; you can, however, require a Hybrid joined device as an additional control.
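As an added example (not code from the thread, from Microsoft or from any Azure AD tooling), the following checker takes conditional access policies in the Microsoft Graph conditionalAccessPolicy shape and reports which users are not covered by MFA, modelling both the UserA/UserB design options from the earlier reply and the point above that a hybrid joined device (the domainJoinedDevice control) only counts as an additional control when combined with MFA under the AND operator. The policies, user records, the perUserMfaState field and the user ids are constructed for the example; the Global Administrator role template id is the real directory value.

```python
# Added example (not code from the thread or from Microsoft): checks conditional access policies
# in the Microsoft Graph conditionalAccessPolicy shape. A policy counts only if it is enabled,
# targets all cloud apps and cannot be satisfied without MFA. All policies and users are constructed.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id

def policy_enforces_mfa(policy: dict) -> bool:
    if policy.get("state") != "enabled":
        return False
    apps = policy.get("conditions", {}).get("applications", {})
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # Under operator "OR" a second control such as domainJoinedDevice (hybrid joined)
    # satisfies the policy by itself; it is an *additional* control only under "AND".
    return "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def user_is_covered(user: dict, policies: list) -> bool:
    """Per-user MFA enforced, or included (by id, 'All' or directory role) in an MFA policy."""
    if user.get("perUserMfaState") == "enforced":  # constructed field for the per-user MFA setting
        return True
    for policy in policies:
        if not policy_enforces_mfa(policy):
            continue
        users = policy["conditions"].get("users", {})
        if user["id"] in users.get("excludeUsers", []):
            continue
        if "All" in users.get("includeUsers", []) or user["id"] in users.get("includeUsers", []):
            return True
        if set(user.get("roleTemplateIds", [])) & set(users.get("includeRoles", [])):
            return True
    return False

def make_policy(name: str, users: dict, controls: list, operator: str = "OR") -> dict:
    return {"displayName": name, "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["All"]}, "users": users},
            "grantControls": {"operator": operator, "builtInControls": controls}}

POLICIES = [
    make_policy("MFA for admins", {"includeRoles": [GLOBAL_ADMIN_ROLE]}, ["mfa"]),
    make_policy("Rule 1", {"includeUsers": ["userB"]}, ["mfa"]),
    make_policy("Rule 2 (weak)", {"includeUsers": ["userD"]}, ["mfa", "domainJoinedDevice"]),
    make_policy("Rule 3", {"includeUsers": ["userE"]}, ["mfa", "domainJoinedDevice"], "AND"),
]
USERS = [{"id": "userA", "perUserMfaState": "enforced"}, {"id": "userB"}, {"id": "userD"},
         {"id": "userE"}, {"id": "admin1", "roleTemplateIds": [GLOBAL_ADMIN_ROLE]}]

def uncovered_users(users: list = USERS, policies: list = POLICIES) -> list:
    """Ids of users that neither per-user MFA nor an MFA-enforcing policy covers."""
    return [u["id"] for u in users if not user_is_covered(u, policies)]
```

Only userD comes back uncovered: "mfa OR domainJoinedDevice" lets a hybrid joined device satisfy the policy without any MFA claim, which is exactly the design the reply above warns against.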